Security Incidents mailing list archives

Lion Worm/crew.tgz


From: Alfred Huger <ah () SECURITYFOCUS COM>
Date: Fri, 23 Mar 2001 10:24:02 -0700

Neil Long <neil.long () computing-services oxford ac uk> mailed me and
mentioned that it might be worth pointing out that the SANS GIAC analysis
is not valid for the crew.tgz version that was sent to Incidents by
Andreas Östling <andreaso () IT SU SE>.

There is no t0rn rootkit involved and the root shell is on 1008 so their
Lionfind may be misleading.

Of course, there could be half a dozen variants on the loose by this stage.


VP Engineering
SecurityFocus.com
"Vae Victis"

